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In my travels (wonderings really) through the TEMEX code (at least 
let us agree to call it code for the purpose of this memo),' I find that it 
is useful to jot down ideas on protection as they occur. 

I am currently looking at the .LOGIN JSYS and it occurs to me that 
there are ways to control the operator, wheel,... etc., special user 
capabilities. 

1) We could do away with all special user capabilities. (This may 
prove to be unworkable.) 

2) We could limit then to a single fixed terminal- (This may prove to 
be un-political.) 

3) We could signal the operator (the real operator, not just some guy 
with operator capabilities;) that someone is attempting to login 
with special capabilities, whereby the operator could have the 
final say. For instance, the operator can stop the login entirely 
or provide the user with exactly the subset of die capabilities 

he needs to perform the function desired. The operator could 
also establish time limits in this category. 
This, of course, presumes we have a trustworthy operator. In any 
case I throw out these ideas— if in yo,T view they appear worthless --you 
ran throw thera out also. I certify thtt I have the capability to pass on 
the capability that will enable you to hrow these ideas out in case you 
do not have the right to ^arove the* from your environment. 

The obvious point is rhat not only aust we recommend protection 
policies and mechanisms to prevent illega. access to objects, but we should 
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uisr. consider jjtomtoring methods to detect such attempts and logging 
functions that will maintain an audit of ail legal access to some* set of 
family sensitive objects, 



